Friday, September 28, 2007

Google XSS Exploit May Show Some Private Data

In recent days, an unusually high number of Google-related security issues have been reported on the web. For instance, one developer was reportedly able to insert a backdoor into Gmail by luring people onto a specially prepared webpage, exposing private data. In not all, but many of these exploits, the problem is that your Google Account cookie can be stolen via so-called cross-site scripting (XSS) attacks; “cross-site”, because the cookie info wanders from Google.com (where it’s supposed to be read) to SomeRandomAbuserDomain.com (where it’s not supposed to be read). Basically, such an attack can be executed when someone finds a way to publish their own, free-style HTML/JavaScript onto any *.google.com domain (like Google Calendar, Google Docs, Google Reader, Google News and so on).
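A small added illustration (my own constructed example, not code from this post or from Google) of why “any *.google.com domain” matters: a cookie scoped to the parent domain is sent to, and readable by script on, every subdomain, so one injection point anywhere under it exposes the account cookie. The cookie names, hosts and the narrowly scoped, HttpOnly variant are assumptions made up for the demonstration; the matching rule is the RFC 6265 domain-match.

```python
"""Cookie scoping as a blast-radius question (constructed example):
which cookies can script running on a given host see?"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # ".google.com" covers every subdomain; a bare host covers itself
    http_only: bool  # HttpOnly cookies are sent, but hidden from document.cookie


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def sent_to(jar, host):
    """Names of the cookies a browser attaches to a request for `host`."""
    return sorted(c.name for c in jar if domain_match(host, c.domain))


def readable_by_script_on(jar, host):
    """Subset an injected <script> on `host` can read via document.cookie."""
    return sorted(c.name for c in jar
                  if domain_match(host, c.domain) and not c.http_only)


# Constructed jar (hypothetical names): a broadly scoped, script-readable
# account cookie next to a narrowly scoped, HttpOnly variant of the same idea.
JAR = [
    Cookie("ACCOUNT_WIDE", ".google.com", http_only=False),
    Cookie("ACCOUNT_NARROW", "accounts.google.com", http_only=True),
]

if __name__ == "__main__":
    for host in ("docs.google.com", "accounts.google.com", "evil.example"):
        print(host, "sent:", sent_to(JAR, host),
              "script-readable:", readable_by_script_on(JAR, host))
```

Run it and the wide cookie shows up as script-readable on docs.google.com, while the narrow HttpOnly one is never readable by script and is only sent to its own host.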

Now, co-editor Tony Ruscoe stumbled upon another XSS vulnerability. By posting a specially prepared file to one of the Google Docs family of services which exploits a non-standard, incorrect Internet Explorer behavior, and then pushing me as experimental “victim” onto this file by sending me a link I clicked, Tony was able to get a Google Account cookie of mine, as I was previously logged in to Google. (Tony did not need to point me to a domain of his; I was only accessing Google-hosted content. I did have to use Internet Explorer though, as it didn’t work with Firefox.) Google security has been informed about this vulnerability and we won’t disclose how to reproduce this for now to give Google time to fix it.

Now, here’s what Tony was able to do with the cookie (as opposed to how a real attacker would act, he only did this after I gave him permission, of course):

Read my Gmail email subject lines and the first words of my mails. This was possible by including a Gmail gadget onto iGoogle, using the extra-wide tab layout.

Access my Google Analytics statistics, including stats of external sites that had been shared with my account.

View many of my iGoogle gadgets, e.g. a Todo list.

Access the full contents of my non-public Google Notebook notes/non-public notes that had been shared with me by others.

Check my Google Reader.

See the names of my Docs, Spreadsheets and Presentations files.

Here’s what Tony was specifically not able to do:

He didn’t see my full emails.

He didn’t see any of the content of my Google Docs, Spreadsheets or Presentations.

He didn’t see all of my iGoogle gadgets, e.g. a Google Talk gadget required another log-in.

He wasn’t able to compromise my account login/password, e.g. change it to then fully access my Google services.

Below are some of the screenshots Tony took while exploring my Google account:

In other words, this stealing from the cookie jar can be risky for the victim, but it need not be completely dramatic in all cases. Even so, it’s another reminder of how the increasingly powerful Google Account framework not only offers more power to lazy people (you don’t need to sign in to Google services over and over), but also more power to abusers. All that’s needed to start most of these attacks is a bug or oversight in one of the many Google services, and a victim who visits a prepared webpage. If you want to be safe from this, you can always log out of your Google account when not using Gmail and other services, and try not to view pages you don’t trust (and try not to follow links to pages you may think you trust, but which have been sent to you by people you don’t trust).